JPH10507324A - Loving software license for hardware agents - Google Patents

Abstract

(57) [Abstract] An integrated circuit component to enforce licensing restrictions. The enforcement is performed by remotely transmitting access privileges to execute the licensed program from the integrated circuit component to other similar components. An integrated circuit component comprising: a non-volatile memory that stores a uniquely specified key pair (11, 12), an authentication device certificate (80), and a manufacturer public key (16) together with a cryptographic algorithm; Executes a cryptographic algorithm to process information entered into the element, and internally generates a uniquely designated key pair within the integrated circuit component and a processor that sends the processed information to volatile memory A random number generator.

Description

DETAILED DESCRIPTION OF THE INVENTION   Loving software license for hardware agents                                Background of the Invention Field of the invention   The present invention relates to licensing software. Specifically, the present invention provides the first License software from an authorized node with Access privileges to run software programs to specific user licenses Transfer to an unauthorized node with a second hardware agent without conflict The present invention relates to an apparatus and a method for performing the method.BACKGROUND OF THE INVENTION   Early in the development of computer systems, modernized companies generally A room with several "dumb" terminals connected to a frame I was using a centralized mainframe of the size. Smaller, faster and higher performance computers With the advent of pewter, many of these modernized companies have their centralized main Remove the frame and replace it with some standalone computers, or personal Computers, each user owning his or her own personal computer Use a distributed network (for example, a local area network) I chose the one to use.   Recognizing this decentralization trend, many software developers have been "user specific" License your software according to a specific licensing scheme, commonly called a license. License the software. User-specific licenses are generally Allow a specified number of individuals to operate the software program at any time in a specific manner. You. Therefore, the license is not tied to a specific node, but to a selected number of individuals I do. For the purposes of this application, a “node” is a computer, preferably including the present invention. Intelligence, such as data, printers, facsimile machines, and the like "Is defined as a hardware product having". " Includes user-specific software A key issue to follow is the potential licensing revenue of software developers. Unauthorized use and / or copying of licensed software It may be indirectly conducive.   Over the years, software developers have found that their software is user-specific. How to protect against use and copying beyond the terms of the license But the company licensee has been licensed by their own employees. Significantly reduce potential subrogation due to illegal use or copying of software I've been trying. Therefore, software that exceeds user-specific license conditions Preventing the spread of software is not licensed to software developers and companies Both have similar benefits.   Currently, compliance with user-specific software licenses is based on the dongle gle) "is performed by the use of physical hardware devices. Do Is a package with the licensed software when first purchased Physical hardware device that is being used. This is generally -Connect to the parallel port of a node such as a computer. Various times during execution In that respect, the Licensed Software Program is not Send an authorization message (called "call") to the active device. Dong The active devices in the dongle are confidential information stored inside the dongle (hereinafter referred to as “Yes Process the call using a valid license token) and return a message Generate a message (called a "response"). The software program sends this response Compares to the expected response and allows further execution only if the two responses are the same. Yes.   Therefore, the user copies the licensed software program and Can be loaded on multiple personal computers, but the software Can run the hardware program on the first connected dongle Computer only. Copy licensed software programs to other To run on a Sonal computer, the first personal computer Must remove the dongle and connect it to another personal computer. No. As a result, the software cannot be used on the first personal computer. It will work. The number of dongles given to a company licensee is generally user specific. Licenses are limited to those with software license agreements Software software program leaders Obviously, it will not cause any adverse financial impact.   Dongles ensure compliance with user-specific licenses, but some There are drawbacks. One disadvantage is that the dongle must be physically distributed to customers That is. Therefore, systems for electronic distribution of software (“Content distribution Called "cloth") has been proposed and implemented to increase convenience and reduce distribution costs However, the dongle as a physical device still uses traditional distribution methods and associated costs. Need. Dongle to protect software developers' economic interests As required, the customer can (i) get the dongle directly at the selected location Then attach the dongle to the node before licensing Grams cannot be used or (ii) content prior to intended use Licensed software in anticipation of the time distributors will mail dongle to customers ・ Must endure the troublesome work of ordering programs. In any Even so, dongles hinder the efficiency and interest of content distribution.   Another disadvantage is that removing and attaching the dongle is a time consuming process. is there. In companies that compete for time, exchanging dongles can affect the overall performance of the company. Another disadvantage is that the dongle is constantly removed and put on Companies are waiting for a new dongle with a higher probability that the guru will be damaged and inoperable Otherwise, you can use the software application again Absent.   Another disadvantage is that while licensing is for individuals, dongle is generally It is to be attached to. Thus, if the user is on another machine (for example, at home) Personal computer), the user owns the dongle Unable to use licensed software programs unless you .                             BRIEF SUMMARY OF THE INVENTION   Based on the above, electronic dongle as an integrated circuit component internally mounted in the node It is desirable to produce an encryption device having the function of a guru. Therefore, the present invention The purpose is to include a unique digital certificate used in remote authentication of integrated circuit components. Provided is an encryption device as an integrated circuit component, including a storage element that stores data partially. Is Rukoto.   It is another object of the present invention to internally generate a unique public / private key pair, Without having to store the secret key, thereby saving To provide unique integrated circuit components that prevent the use of   It is another object of the present invention to provide a method for verifying or manufacturing another To enable secure communication with various integrated circuit components. Providing an integrated circuit component that internally stores the public key of another entity It is.   Another object of the present invention is to provide a robin system that does not require frequent physical manipulation of hardware. Providing integrated circuit components that provide a roving software license Is to provide.   This integrated circuit component is commonly referred to as a hardware license and is used for identification purposes. And (i) a non-volatile memory for storing a unique public key / private key pair. And (ii) a key that verifies that the key pair is authentic. Digital certification and (iii) other integrated circuit components and other components manufactured by the manufacturer. Selected entities (integrated circuit configurations) that allow communication between such components (Preferably the manufacturer of the element). Non-volatile memory can also be used to store cryptographic algorithms. The integrated circuit component is a volatile memory that stores information processed by the processing device. And information from other similar components in encrypted or decrypted form via the communication bus Interface to send and receive and generate a unique public / private key pair And a random number generator for generating                             BRIEF DESCRIPTION OF THE FIGURES   Objects, features, and advantages of the present invention will be apparent from the following detailed description of the invention. Would.   FIG. 1 is a block diagram illustrating a two-way symmetric key encryption and decryption process. .   FIG. 2 is a block diagram illustrating a two-way asymmetric key encryption and decryption process. You.   FIG. 3 is a block diagram showing the digital certification process from a credit authority. .   FIG. 4 is a block diagram of a computer system incorporating an embodiment of the present invention. FIG.   FIG. 5 is a block diagram showing an embodiment of the present invention.   FIG. 6 is a flowchart showing how a pair and a digital certificate are implemented on an integrated circuit component. It is a chart.   7A to 7C illustrate a second hardware age with license privileges. License token between the agent and the first hardware agent The first hardware agent sends a second hardware 9 is a flowchart illustrating an operation of establishing communication with an agent.                             Detailed description of the invention   The present invention provides a roving software between appropriately configured hardware agents. Transfer software licenses and distribute them accordingly Apparatus and method for eliminating the need for physical hardware devices. In the following description, Many details are set forth in order to provide a thorough understanding of the present invention. However, Those skilled in the art will be able to exemplify the invention without departing from the spirit and scope of the invention. It can be seen that it can be implemented using many different embodiments than Is. In other instances, well-known circuits have been used in order not to obscure the present invention unnecessarily. Elements and the like are not described in detail.   In the detailed description, some cryptographic relationships may be used to describe a particular property or quality. Are frequently used, but are defined here. "Key" is conventional Parameter of the encryption algorithm or the decryption or both. Specifically, the key is a sequential arrangement of binary data having a length of n bits ("string"). (Where “n” is an arbitrary number). A "message" is a series of buses Information (eg encryption key address and data) transferred in the cycle Is generally defined as This information includes the call and the return response. "D Digital proof '' is defined as information related to the entity that initiates the communication. And typically publicly available credit authorities (eg, banks, government agencies, trade unions) Is the public key of the entity that was encrypted using the private key . A "digital signature" is similar to a digital certificate, except that the sender Used to authenticate the message itself.   In recent years, digital information has been transmitted from one place to another. It is becoming more desirable. As a result, many entities are now , Which is unambiguous and unambiguous for legitimate recipients Is transferred in a manner that cannot be understood by unauthorized recipients. Generally, cryptography is It works according to one of two conventional techniques. That is, symmetric key encryption or Or asymmetric (or public) key encryption or a combination of those encryption techniques. You.   Referring to FIG. 1, an embodiment of a symmetric key encryption technique is illustrated. This technique In the law, the same, i.e., symmetric, secret key (labeled "SK") 1 Using the original message transferred between the first node 10 and the second node 15 5 to form an encrypted original message 20, It is necessary to decrypt the original message 5 by decoding the page 20. Such encryption and And decryption is performed, for example, by using a data encryption algorithm (more commonly referred to as ) Using well-known conventional cryptographic algorithms. Original message 5 is (i) encrypted at the first node 10, (ii) telephone line and the like Transfer from the first node 10 to the second node 15 using a public area 25 such as And (iii) decrypted by the second node 15. However, this technique uses a secret key (" SK ”) must be set in advance, so if there are many users, support Difficult to do.   Referring now to FIG. 2, an embodiment of the asymmetric key technique is illustrated. this The technique consists of two separate keys (“public key” and one used separately) for encryption and decryption. And "private key"). From the first node 10 to the second node 15 "Public" of the second node 15 key pair to establish a two-way communication Key 16 (labeled “PUK2”) is stored in first node 10 , Generally the first node 10 is an asymmetric “RSA” algorithm well known in the encryption arts. It is used to encrypt the original message 30 based on the system. This allows An encrypted original message 35 to be forwarded to the second node 15 is formed. The first no Public key and private key pair 11 and 12 ([PUK1] and “PRK 1 ") are further stored in the first node 10.   The “private” key 17 (signed as “PRK2”) of the key pair of the second node 15 ) Is known only by the second node 15 and as shown in FIG. Decryption of encrypted message 35 from first node 10 based on the RSA algorithm Used for many purposes, including numbers. However, this technique is not (E.g., commercial spies) are legitimate entities (e.g., employees, joint ventures). Work, etc.) to disrupt work flow or obtain confidential information Allow any attempt to send fraudulent messages to other legitimate entities I'm sorry. Therefore, additional protocols are generally used to authenticate the message. And justify the entity that sends the message.   The first time a communication is established between parties that are not known in advance, the sender's authentication ( That is, verify that the sender of the public key is in fact the true owner of the public key ) Is the problem. This problem is typically caused by a digital certificate in the transmitted message 50. It is avoided by incorporating 45. Digital Certificate 45 is a mutual credit authority Party 55 (eg, a bank, government agency, trade union, etc.) signs the signature (“SM”). The public key ("PUK") of the node that initiates communication using the 1 ") 11 is encrypted using the private key (" PRKTA ") 57 of the credit authority 55. Issued by encryption. Therefore, trying to use PUK2 16 Even if an unauthorized attempt is made, the transmitted message will not be readable by the recipient. The answer will just be returned. The selected credit authority 55 is a related party. Depends on For example, two individuals employed by the same company may both have Trust the certificate issued by the company's corporate security authority. However , Employees of the two independent corporate entities may have their own security Not only their authentication, but also some Requires certification from an industrial organization.   In this method, a plurality of operations are executed in parallel to create a transmission message 50. . One operation is to generate a symmetric secret key (“SK”) 60 via the DES algorithm. The original message 40 is encrypted using the Forming an encrypted message 65 that is placed in the page 50. Hara Messe A hash algorithm 70 (eg, “MD5”) is also applied to the An outgoing message digest 75 is formed. Outgoing message 75 further encrypts using the first node's private key ("PRK1") 12. To form a digital signature 80, which is included in the outgoing message 50 . In addition, a symmetric key (“SK”) 60 is used to generate a second key based on the RSA algorithm. Encrypted using the public key (“PUK2”) 16 of the 5 and further included in the transmission message 50.   With continued reference to FIG. Transmitted from the first node 10 via the public area 25; Upon receiving the transmitted message 50, the second node 15 sends the private key (PRK2). )) 17 to decrypt SKenc 85 and issue the public key ( "PUBTA") to decrypt the digital certificate 45, SK60 and PUK1.   Obtain 11. Using the SK key 60 and the PUK1 key 11, the encryption source The message 65 and the digital signature 80 are decrypted, and the transmitted message digest 75 and the original message 40 are respectively extracted. Next, the first message Apply the same hash algorithm 85 as performed at node 10. The result Result 90 (referred to as the "received message digest") Compared to Egest 75. Send message Digest 75 is received message The same as the digest 90, communication between the two legitimate nodes is maintained. You.   Referring to FIG. 4, an implementation of a computer system 100 using the present invention The configuration is shown. The computer system 100 includes a host processor 105, a memory device 110, an input / output (“I / O”) control device 115, And a cryptographic device 12 called a “hardware agent”. Multiple buses Agents are connected to each other via system bus 130, thereby Information can be transmitted between these bus agents.   In this embodiment, only the host processor 105 is shown, but the As is well known in the computer arts, a plurality of hosts -It is contemplated that a processor may also be used. Further, the memory device 1 10 is a dynamic random access memory ("DRAM"), read only Memory ("ROM"), video random access memory ("VRAM") ), And the like. The memory device 110 includes a host program. Information used by the processor 105 is stored.   The input / output control measure 115 is provided between the input / output bus 135 and the system bus 130. Interface, which is coupled to the system bus 130 or the input / output bus 135. Provide a communication path (ie, gateway) for transferring information between specified components . I / O bus 135 is connected to at least one peripheral in computer system 100. Transfer information to and from the device. This includes a display device 140 (for example, (For example, a cathode ray tube, a liquid crystal display, etc.) Alphanumeric input device 145 for transmitting command selection (eg, alphanumeric keyboard) , Cursor control device 150 (for example, mouse, track Mass data storage 155 (such as a ball, touch pad, etc.) For example, magnetic tapes, hard disk drives, floppy disk drives Live), information transmitted from computer system 100 to other devices. Transmission / reception device 160 (fax machine, modem, scanner, etc.) A hard copy device 165 that provides a visual representation of the shape (eg, a plotter, And the like, but are not limited thereto. The computer system shown in FIG. The stem may be a part or other of these or other components. Can be used entirely.   Next, referring to the embodiment of the present invention shown in FIG. The host 120 includes a host processor 105, a memory and an input / output control device. (Not shown) coupled to a system bus 130 that establishes a communication path therewith. Hardware agent 120 protects die 121 from damage and harmful contaminants. In the integrated circuit component package 122 to protect the A single unit in the form of a encapsulated die 121 (eg, a microcontroller) Including integrated circuits. Die 121 includes a processing unit 123 coupled to a storage element 124. , A bus interface 125, and a random number generator 126. Bus interface The hardware 125 transmits data from the hardware agent 120 to another device (for example, Host processor, other hardware agents in other devices, etc.) Enable trust. Processing unit 123 secures die 121 Performs calculations internally within the environment to ensure a valid connection with authorized recipients. Such calculations include the execution of specific algorithms and protocols, device-specific Circuits that generate public / private key pairs and the like (eg, random properties The activation of the random number generator 126, which is preferably Processing device 1 23 confuses the computer system and its private keys and other information Prevent access to private keys by virus attack, a common method of obtaining As shown in FIG.   The storage element 124 may be a suitable cryptographic algorithm such as “RSA” or “DES”, Public key / private key pair 127a, whether the value pair is authenticated Digital certificate for verification (labeled "DC") 127b And integrated circuit components and other similar devices manufactured by the manufacturer thereof. The public key of the manufacturer of the integrated circuit component ("PUKM") that allows communication between ) Includes a nonvolatile memory element 127 such as a flash memory for storing 127c. (Described in detail in FIG. 6). To retain the contents even if the power is turned off, The non-volatile memory 127 is mainly used. The memory device 124 is a processing device 1 23 to store a particular result from the random access memory (" RAM ") 128.   The hardware agent 120 is a system agent for security enhancement. Although implemented as a peripheral device connected to the bus 130, the hardware Gent 120 can be implemented at the PC platform level in several other ways (eg, Automatic decryption or encryption of information coming in and going out of the hard disk, As a disk controller or a PCMCIA card that does both). It is contemplated that it can be applied. Other alternative embodiments are described below. Multi-chip module with hardware agent and host processor It would be one component of the In addition, hardware agents Is described in connection with the PC platform. Software agents are located in nodes such as fax machines, printers and the like. Or on the communication path between the computer and the input / output peripherals Is intended.   Referring to FIG. 6, a flow chart of the operation for making the present invention is shown. . First, at step 100, a hard drive is performed according to any conventional and well-known semiconductor manufacturing technique. Make a wear agent die. Next, the hardware agent Encapsulate the die in a semiconductor package to form a body (step 105). Place hardware agents on the certification system, The electrical and mechanical connection between the hardware agent and the certification system. A connection is established (step 110). The certification system is a hardware agent Coupled to a printed circuit board that generates and receives electrical signals for proof of Equipped with a carrier. The certification system also requires a The storage device further includes a storage device (for example, a database) for the generated public key. That Later, the certification system powers the hardware agent and The agent supplies power to the random number generator and Allows the random number generator to internally generate a device-specific public / private key pair. To be able to   After the public / private key pair is generated in the hardware agent, Send the public key of the open key / private key pair to the certification system (step 120) ). The public key is stored on a storage device, Compare with the public key generated before the agent (step 125). By any chance If the public key is the same as one of the previously generated public keys (step 13 0), the certification system sends another public key to the hardware agent Notify to generate a private key pair (step 135) and continue this process. Ensure that each public / private key pair is unique, continuing from step 120 To   If the public key is unique, the storage is updated with that unique public key ( Step 140). Thereafter, the certification system proceeds to step 145, where the key pair is authenticated. Unique device certificate for verifying whether the device has been authenticated (hereinafter referred to as “authentication device certificate”). Call). Authenticator certificates are created using a private, private manufacturer key. Include at least the public key of the device that has been "signed" (ie, roughly Encrypts the device's public key using the manufacturer's private key). This authentication device Certificate to hardware agent with manufacturer's publicly known public key Enter (step 150) the hardware agent will enter the unique public key and private Permanently store the key pair, authenticator certificate and manufacturer's public key in its non-volatile memory. Program (step 155). However, instead of the manufacturer, other entities (E.g., the distributor's public key), in which case the authentication It is contemplated that a change in the certificate will also be required. At this point, the hardware agent Agents are physically unique, which allows them to communicate with other hardware agents. Trust can be established safely.   After the hardware agent is created, it is shown on the computer shown in FIG. ・ Implement it in an electronic device such as a system. This is an authentication procedure such as calling / response. Licensee and hardware age using the By establishing a secure communication path with the Can be. After the communication path is secured, the secure communication link A valid license token through the hardware agent's flash Download to memory. Transfer between hardware agents License token embedded in multiple hardware agents Rarely in the “enabled” or “disabled” state, It is further contemplated that the token may be enabled or disabled.   Referring to FIGS. 7A and 7B, two hardware agents An embodiment of mutual remote identification of authentication is shown. In step 200, the first hard "Unauthorized" first node (i.e., the current Currently not authorized to operate licensed software applications License) to operate licensed software applications Authorized second node incorporating a second hardware agent A communication link is established with the host. This communication link can be a modem, network And can be established via any conventional communication means. First hardware The agent sends a message containing its unique authenticator certificate to the second hardware. A) Output to the agent (step 205). Both hardware ages Ent's non-volatile memory is programmed with the manufacturer's public key ("PUKM"). The second hardware agent is the manufacturer's public key ("P UKM ") and decrypt the authenticator certificate using the first hardware agent. The public key of the client is obtained (step 210). Thereafter, steps 215 to 220 Then, operations similar to those described in Steps 205 to 210 are also performed. Allows the first agent to use the public key of the second hardware agent ( “PUK2”).   Then, in steps 225 and 230, the second hardware agent Uses the first hardware agent's derived public key to select The challenge message is encrypted according to a specified encryption algorithm (for example, RSA). And sends the challenge message to the first hardware agent. You. In steps 235 and 240, the first hardware agent Decrypts the challenge message using the private key ("PRK1") of the The message is sent to the second hardware agent's public key (" PUK2 ") to generate a response message by encrypting Send a response message to the second hardware agent. Then, the second The hardware agent decrypts the previously transmitted manufacturer's device certificate Decrypts the response using the private key ("PUK1") previously determined (Step 245). In step 250, the second hardware agent Compare the original challenge message with the decrypted response message and if they are not the same Terminates the communication (step 255). If the same, in steps 260 to 290 The same calling / response procedure as in steps 225 to 260 is performed, and the first hardware The information sent from the hardware agent to the second hardware agent. Verify that the client is actually receiving. These steps (step 22 5-290), both hardware agents authenticate Agent and the communication between them is secure Is guaranteed (step 295).   Referring now to FIG. 7C, the second hard drive is secured under secure communications. A valid license token in the hardware agent to the first hardware An embodiment of a process for securely transferring to an agent is shown. Safety protection When the established communication is established, the first hardware agent You have a valid license token for the hardware agent An inquiry is made as to whether or not it is (Step 300). Embedded second hardware agent The licensed system does not have a valid license token (step (Step 305), the communication between the hardware and the agent ends (step 310). ). However, a system incorporating a second hardware agent is effective The first hardware agent if you have a valid license token The message is transmitted accordingly (step 315).   When the first hardware agent receives this message, the first hardware agent Licensed software application to hardware agent A transfer request of a valid license token allowing the operation is issued (step 320). The second hardware agent transfers a valid license token Responds to the transfer request, thereby losing its license privileges (step 325). The first hardware agent has its valid license After receiving the token and storing the token in its non-volatile memory, The second hardware agent sends a message that the license token has been received. Agent to make available a copy of the licensed software. (Step 330). At this point, the communication ends (step 335). .   Interrogation between steps 320 and 325 and between steps 325 and 330 / An additional level of protocol integrity is obtained by introducing a response sequence. It is contemplated that the This allows the previous license token transfer "Replay" of the sending event is prevented.   In parallel with the communication between the first and second hardware agents, each hardware Agent stores the contents of the transmission as an audit log in non-volatile memory . Therefore, the second hardware agent disables the copy Before the first hardware agent makes the copy available If the connection is lost, both hardware agents will reconnect. Review the audit log later to see which hardware agent (if any) That you have permission to operate the license software application Can be   The invention described herein can be implemented in many different ways and using many different configurations. Can be measured. Although the invention has been described with reference to various embodiments, One of ordinary skill in the art will be able to conceive other embodiments without departing from the spirit and scope of the invention. There will be. Therefore, the present invention should be determined by the appended claims. .

────────────────────────────────────────────────── ─── Continuation of front page    (81) Designated countries EP (AT, BE, CH, DE, DK, ES, FR, GB, GR, IE, IT, LU, M C, NL, PT, SE), OA (BF, BJ, CF, CG , CI, CM, GA, GN, ML, MR, NE, SN, TD, TG), AP (KE, MW, SD, SZ, UG), AM, AT, AT, AU, BB, BG, BR, BY, C A, CH, CN, CZ, CZ, DE, DE, DK, DK , EE, ES, FI, FI, GB, GE, HU, IS, JP, KE, KG, KP, KR, KZ, LK, LR, L T, LU, LV, MD, MG, MK, MN, MW, MX , NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SK, TJ, TM, TT, UA, U G, UZ, VN

Claims (1)

[Claims] 1. Processing means for processing information within the integrated circuit component;   A unique key pair and authentication of the manufacturer of the integrated circuit component, coupled to said processing means First storage means for storing a digital certificate and a public key;   Storing the information processed by the processing means, coupled to the processing means; Second storage means,   Means for generating the unique key pair coupled to the processing means;   The integrated circuit component and the second integrated circuit component coupled to the processing means; Interface means for enabling communication between The integrated circuit component comprising: 2. 2. The method according to claim 1, wherein the first storage unit includes a nonvolatile memory. On-chip integrated circuit components. 3. The authenticated digital certificate is encrypted with the manufacturer's use key The public key of the manufacturer of the integrated circuit component. An integrated circuit component according to claim 2. 4. The first storage means further includes a cryptographic algorithm. Item 3. An integrated circuit component according to item 2. 5. The second storage means includes a random access memory. An integrated circuit component according to claim 1. 6. 6. The integration circuit according to claim 5, wherein said generation means includes a random number generator. Road components. 7. The interface means includes a bus interface coupled to a bus Providing a communication link between the integrated circuit component and a second integrated circuit component to provide An integrated circuit component is transmitted from the second integrated circuit component to the integrated circuit component; Decrypts the information and stores the decoded information into the second integrated circuit component from the integrated circuit component. 7. The method according to claim 6, wherein the information is transmitted after being encrypted. Integrated circuit component. 8. An integrated circuit component for encrypting and decrypting information,   A unique key pair, a device certificate for the manufacturer of the integrated circuit component, and a A non-volatile memory for storing a public key,   A random access memory for storing the information;   Coupled to the non-volatile memory and the random access memory to store the information A processing device for processing internally;   A random number generator coupled to the processing device to generate the unique key pair;   An integrated circuit component coupled to the processing device, wherein at least a second integrated circuit configuration is provided. An interface that allows you to communicate with the element An integrated circuit component comprising: 9. Said interface between an integrated circuit component and a second integrated circuit component; Form a communication link in which the integrated circuit component transmits information transmitted to the integrated circuit component. Information from the integrated circuit element to the second integrated circuit element. 9. The information according to claim 8, wherein said information can be encrypted and transmitted. An integrated circuit component according to claim 1. 10. A host processing means for executing the software program;   Storage means for storing the software program;   Bus means for coupling the host processing means and the storage means;   The cryptographic information input to the agent means is coupled to the bus means and internally Before decrypting and internally encrypting the cryptographic information output from the agent means The agent means A system comprising:   The agent means,     Processing the input encryption information and the output encryption information in the agent Means,     Coupled to the processing means for decrypting the input encryption information and encrypting the output encryption information. A unique key pair to be used for encryption and a device certificate of the manufacturer of the agent means First storage means for storing the information and the manufacturer's public key;     The input encryption information and the output encryption information are temporarily Second storage means for storing;     Generating means coupled to the processing means for generating the unique key pair;     Coupled to the processing means to enable communication between the system and a remote system Interface means to Including system. 11. The first storage means stores the unique data even when power is disconnected from the nonvolatile memory. 11. The non-volatile memory of claim 10, wherein the non-volatile memory maintains key pairs. On-board system. 12. The first storage means further stores an encryption algorithm. The system of claim 11, wherein 13. 13. The system according to claim 12, wherein said first generation means includes a random number generator. Stem. 14． A storage element for storing at least one encryption and decryption program;   A host processor that executes the encryption and decryption programs;   A bus coupling the host processor and the storage element;   Coupled to the bus and internally decoding input information from the remote device; A hardware agent that encrypts output information to remote devices A system comprising:   The hardware agent comprises:     Processing the input information and the output information in the hardware agent; Processor and     Coupled to the processor, all decoding the input information and decoding the output information. A uniquely specified key pair used for encryption, an authenticator certificate, and a manufacturer certificate A nonvolatile storage element for storing an open key;     The input information and the output information processed by the processor are temporarily stored. A volatile storage element for storing the     A random number generator for generating the unique key pair;     Communication between the system and the remote system coupled to the processor Interface that enables Including system. 15. The non-volatile storage element further stores at least one encryption algorithm The system of claim 14, wherein the system is configured to: 16. A method for remote identification and authentication of a pair of hardware agents. hand,   Between the first hardware agent and the second hardware agent Establishing a communication link with   Authenticating the first and second hardware agents;   The second hardware agent has a valid license token From the first hardware agent to determine if Sending an inquiry message to the second hardware agent; ,   The second hardware agent retrieves the valid license token The first hardware agent to the second agent Generating a transfer request message to the client;   The second hardware agent to the first hardware age Transferring the valid license token to an agent;   The first hardware agent after receiving the valid license token. From the agent to the second hardware agent Generating a page;   Terminating the communication link; A method that includes 17． The authentication step   A unique device certificate stored in said first hardware agent. Sending to the second hardware agent;   Communicating with the first hardware agent and communicating with the first hardware agent; Decrypt the unique device certificate and authenticate the first hardware Obtaining a public key of the agent. The method according to item 16, 18. The authentication step   A unique device certificate stored in said second hardware agent. Sending to the first hardware agent;   Communicating with the second hardware agent and communicating with the second hardware agent; Decrypt the unique device certificate and authenticate the second hardware to authenticate the agent. Obtaining the public key of the agent. 19. The authentication step   Encrypted by the public key of the first hardware agent Generating an invitation message;   Sending the challenge message to the second hardware agent Steps and   The second hardware agent decodes the challenge message; Responding to the challenge message;   Encrypted by the public key of the second hardware agent Generating an invitation message;   Sending the challenge message to the first hardware agent Steps and   The first hardware agent decodes the challenge message; Responding to the challenge message. 19. The method according to claim 18. 20. Before the step of generating a transfer request,   The second hardware agent retrieves the valid license token A step in which the second hardware agent determines whether or not And thereby     The second hardware agent has the valid license token Terminating the communication if the user does not own the     The second hardware agent has the valid license token Generate a response message to the inquiry message if the user owns 17. The method of claim 16, further comprising the steps of: